cvs commit: www/en send-pr.sgml www/en/cgi Makefile confirm-code.cgi sendpr-code.cgi

Simon L. Nielsen simon at FreeBSD.org
Sun Dec 4 16:55:02 GMT 2005 

On 2005.12.04 16:18:40 +0000, Ceri Davies wrote:
> ceri        2005-12-04 16:18:40 UTC
> 
>   FreeBSD doc repository
> 
>   Modified files:
>     en                   send-pr.sgml 
>     en/cgi               Makefile confirm-code.cgi 
>   Removed files:
>     en/cgi               sendpr-code.cgi 
>   Log:
>   Refactor the "confirmation code" stuff into a general purpose script.
>   
>   confirm-code.cgi contains a preconfigured list of databases and their
>   parameters.  When a request comes in, the database in the request's 'db'
>   parameter is checked for validity, and a code is generated, stored in
>   the appropriate database and returned.
>   
>   Use this new script in send-pr.sgml and remove sendpr-code.cgi which is
>   now superceded.
[...]
> | --- www/en/cgi/confirm-code.cgi	2005/11/11 08:58:06	1.5
> | +++ www/en/cgi/confirm-code.cgi	2005/12/04 16:18:40	1.6
[...]
> | @@ -22,52 +25,81 @@ my @availchars = qw(A B C D E F G H J K 
> |  $pnmcat = "/usr/local/bin/pnmcat";
> |  $pnmtopng = "/usr/local/bin/pnmtopng";
> |  $pnmdatadir = "../gifs/";
> | -$dbpath = "/tmp/sendpr-code.db";
> | -$expiretime = 2700;		# seconds until code expires
> | +$expiretime = 0;	# Default for the Expires: header
> |  ############################################
> |  
> | +# The code databases that we know about.  If a query comes in for
> | +# anything else, we return a zero byte "image" (rather than an image
> | +# with a rude word in, which was tempting).
> | +
> | +%db = (
> | +# The querypr one is not used, but stands as an example.
> | +#	querypr => {
> | +#		path => '/tmp/querypr-code.db',
> | +#		lifespan => 2700,
> | +#	},
> | +	sendpr => {
> | +		path => '/tmp/sendpr-code.db',
> | +		lifespan => 2700,
> | +	},
> | +);

Could we put the database somewhere else, IE. not in a world writeable
directory, so we don't have obvious potential temporary file
vulnerabilities?

While the real problem is very small (since so few people have access
to www) I would on principle greatly prefer to have the database
somewhere else, e.g. under /usr/local/www/var/confirm-code ?

I can create the directory and set apropriate permimssions for this to
work.

-- 
Simon L. Nielsen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-doc/attachments/20051204/4a101c79/attachment.bin

More information about the cvs-doc mailing list